Browser makers block rogue SSL certificate

Hackers have acquired a digital certificate from a certificate authority enabling them to issue
fraudulent public key certificate requests to a number of domains, including websites owned by
search engine giant Google.

The certificate breach at Dutch certificate authority, DigiNotar, a subsidiary of VASCO Data
Security International Inc., gave the cybercriminals the ability to use a
rogue SSL certificate to hijack Gmail accounts and spoof secure websites that
use SSL and EVSSL digital certificates for security and to prove their legitimacy to users. The
breach took place July 19. In a statement issued by VASCO, the company said it thought it had revoked all fraudulent certificates.

“Recently, it was discovered that at least one fraudulent certificate had not been revoked at
the time,” the company said. “After being notified by Dutch government organization Govcert,
DigiNotar took immediate action and revoked the fraudulent certificate.”

The attack was targeted at the systems DigiNotar uses to issue its digital certificates. The
certificate authority is temporarily suspending the sale of its SSL and EVSSL certificates until
the conclusion of additional security audits. VASCO said the systems that run its strong
authentication business were not affected by the breach. Details of the stolen certificate were
posted to a public forum last Saturday.

“This means Chrome and Firefox users will receive alerts if they try to visit websites that use
DigiNotar certificates,” wrote Heather Adkins, an information security manager at Google in the
Google Online Security blog. “To help deter unwanted surveillance, we recommend users, especially
those in Iran, keep their Web browsers and operating systems up to date and pay attention to Web
browser security warnings.”

Attackers have targeted certificate authorities in the past. In March, hackers stole certificates from Comodo Inc. after they penetrated the systems
of one of its partner registration authorities. The breach resulted in nine fraudulent certificates
issued to seven Web domains, including search engine giants Google and Yahoo. An Iranian hacker
claimed responsibility for stealing the SSL certificates. Comodo said at no time were any Comodo
root keys, intermediate CAs or secure hardware compromised.
